Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


III. Privacy issues

Data protection rules

Peru does not have comprehensive data protection legislation. However, numerous specific legal regulations protect privacy, and the Ombudsman, in some cases, does the work of a data protection agency.1 In August 2004, the Ministry of Justice published a report about a bill on data protection. It contains provisions related to general data protection principles pursuant to the Peruvian Constitution, and is based on the European Union Data Protection Directive and the Spanish Data Protection Acts of 1992 and 1999. It contains provisions on data subjects' rights, data controllers' obligations, the supervisory authority as well as sanctions. If the bill is passed, existing data protection regulations (including bank, disabilities and credit card regulations) would have to be adapted to it.2

In August 2004, the Ministry of Justice published a report about a bill on data protection. The bill contains provisions related to general data protection principles pursuant to the Peruvian Constitution, and is based on the European Union Data Protection Directive 95/46/EC.3 It contains provisions on data subjects' rights, data controllers' obligations, and sanctions, among others. If the bill were passed, the current data protection regulations (including bank, disabilities and credit card regulations) would have to be adapted to it.4 The bill creates a Data Protection Authority that would be assumed by the Ministry of Justice.5 At the end of the presidential period 2001-2006 in July 2006, the data protection bill was approved as an Executive Branch’s legislative initiative but it was not delivered to the Congress. In May 2007, the new Government began evaluating the bill in order to decide whether it will be delivered to the Congress as an Executive Branch initiative.6

In August 2001, Peru enacted a data protection law covering private credit reporting agencies called Centrales Privadas de Información de Riesgos (CEPIRS).7 These private companies are in charge of collecting and processing the credit risk information of individuals and companies whose information is recorded in databases. The law regulates the incorporation of credit bureaus, qualifications for shareholders, and the sources of information they can use. Similar to Article 12 of the EU Data Protection Directive, it sets out the information that must be provided to the data subject when the data has not been obtained from him or her. In addition, the law prohibits credit bureaus from collecting sensitive information, data violating the confidentiality of bank or tax records, inaccurate or outdated information, bankruptcy records older than five years, and other debtors' records five years after the debt has been paid. It provides that credit agencies must adopt security measures, and that individuals have the following rights: 1) the right to access their personal data; 2) the right to modify or delete their personal data; 3) the right to rectify personal data that is illegal, inexact, erroneous or expired; and 4) jurisdictional trusteeship or jurisdictional protection (tutela jurisdiccional). The CEPIRS has an obligation to adopt the appropriate technical and administrative measures aimed to ensure the security of the personal data they manage, in order to prevent alteration, loss and unauthorized processing or access. The law also creates a strict liability regime. The Agency for Consumer Protection of the National Institute for the Defense of Competition and the Protection of Intellectual Property (INDECOPI)8 is in charge of applying fines for violation of the law, and issuing injunctions to correct errors.

Statutory rules on privacy

The Civil Code of 1984 considers the intimacy of private life, in all its aspects, as worthy of legal protection, subject only to limitations where there is consent by the person concerned, a social interest, or a reason of public order. Article 14 of the Civil Code states that "personal and family intimacy may not be made public without the consent of the person." This article aims at regulating snooping, and other behavior that interferes with someone's private life, or that constitutes an illegal search of a person's goods or properties.9

Article 69 of the Penal Code10 establishes that "anyone who has completed a penalty or security measure11 imposed on them by the court must be rehabilitated in society without further proceedings. The rehabilitation produces the following effects: . . . 2. The cancellation of their criminal, judicial and police official records. These certificates do not have to express the penalty nor the rehabilitation." In crimes against the individual’s honor (insult, calumny, defamation), Article 135 states that "the evidence is never admitted by the court in any case if: . . . 2. [t]he imputation pertains to personal and family intimacy, or a crime against sexual freedom."

Article 154 of the Penal Code states that "a person who violates personal or family privacy, whether by watching, listening to, or recording an act, a word, a piece of writing or an image, using technical instruments or processes and other means, shall be punished with imprisonment for no longer than two years." Article 157 criminalizes the disclosure of sensitive data including "political and religious convictions" and other aspects of private life.

Article 161 of the Penal Code establishes "that a person who unlawfully opens a letter, document, telegram, radio telegram, telephone message, or other document of a similar nature that is not addressed to him, or unlawfully takes possession of any such document even if it is open, shall be liable to imprisonment of not more than two years and to a fine of between 60 and 90 days." 12 A sentence of not less than one year, and not more than three years, is to be given to any "person who unlawfully interferes with, or listens to, a telephone or similar conversation." Public servants guilty of the same crime must serve not less than three and not more than five years, and must be dismissed from their post. A person who unlawfully tampers with, deletes, or misdirects, "the address on a letter or telegram," but does not open it, "is liable to 20 to 52 days of community service."13

In the General Health Law, Article 15 established that anyone that uses health services has the right of dignity, privacy and to demand the secretiveness of the medical information and his clinical history with the exceptions provided by Law.14

The Organic Law of the National Identification and Civil Status Registry (1995) created an autonomous agency which may "collaborate with the exercise of the functions of pertinent political and judicial authorities in order to identify persons" but is "vigilant regarding restrictions with respect to the privacy and identity of the person" and "guarantees the privacy of its registered individuals' personal data." The Law also requires all persons to carry a national identity document featuring a corresponding number, photograph, and fingerprint.15

Any person has the right to request, for a fee and without having to disclose the reason for doing so, copy of the documentation that exists in the Public Registries. However, Article 128 of the General Regulation of Public Registries, relating to the publicity of the registries, provides: "[w]hen the information requested affects the right to privacy (intimidad), this information can only be granted to those who demonstrate legitimate interest, according to the regulations established by the National Superintendent of the Public Registries (Superintendencia Nacional de los Registros P√∫blicos)".

Public Registries handle information that may be sensitive. This might include, for example, information from the Personal Registry such as judicial rulings regarding someone's mental status, separation agreements between spouses, or child custody rulings. The office of Lima (and several of the main registry offices in Peru) has an online service for subscribers. Soon, the interconnection between all offices of Public Registries in Peru will be completed, making it possible to access them from any computer connected to the Internet.

In January 2002, a law creating a National Registry of Persons with Disabilities was adopted.16 The registry is administered by the National Council of Integration of Persons with Disabilities (CONADIS). The personal data included in the registry is confidential. It can only be used for scientific and technical statistical objectives.

The General Financial and Insurance System and the Organic Banking and Insurance Superintendence Law (Ley General del Sistema Financiero y del Sistema de Seguros y Org√°nica de la Superintendencia de Banca y Seguros) prohibits financial institutions, as well as their directors and workers, from providing any information regarding their clients' transactions, except upon written authorization from the clients, or unless the transactions fall within one of the banking secrecy provisions. Infringement of this prohibition is punishable as serious labor misconduct or it may be punishable with a fine.17

On April 12, 2005, a new law (Law No. 28493)18 was enacted to regulate the use of unsolicited commercial e-mails ("spam"). The law does not determine whether the user has to grant his express authorization to receive spam (opt-in), or reject it once he has received it (opt-out). It indicates that all spam that originates from Peru must contain specific items of information such as the word "publicity" in the subject of the message, the name of the natural or legal person who sent the spam, and a valid and active e-mail address that can be used to opt-out. Spam is considered illegal when it does not fulfill Article 5, when the e-mail contains false or misleading information, or when the sender of spam does not comply with opt-out requests. The law also provides damages for individuals being spammed.19

Article 4 of the Law of Telecommunications20 states that "all persons have the right to the inviolability and secrecy of their telecommunications. The Ministry of Transports, Communications, Housing and Construction is in charge of protecting this right." Every concession contract of public services of telecommunications has to indicate the guarantees that service providers must offer to ensure the secrecy of communications. What constitute very serious infractions to the concession contract are: "the interception or unauthorized interference of services of telecommunications that are not available for free use by the general public" and the "spreading of the existence or content, or the publication, or any other use, of all type of data obtained by means of the interception or interference of the services of telecommunications not meant for general public use."21

The General Regulation of the Law of Telecommunications provides that "it is a violation of the secrecy of telecommunications for a person, who is not the one who originates nor is the addressee of a communication, to deliberately remove, intercept, interfere, change or alter its text, turn aside the course, publish, disclose, use, try to know; or facilitate for another person to know about the existence or content of any communication. . . . The concessionaires of public services of telecommunications are forced to safeguard the secrecy of telecommunications and protect personal data. They also have to adopt the reasonable measures and procedures to guarantee the inviolability and secrecy of the communications; as well as to maintain the confidentiality of their users' personal information obtained in the course of business, except if users have provided their prior, written and express consent, or if there is a judicial warrant. The holders of private services of telecommunications will have to adopt their own security measures to provide for the inviolability and secrecy of telecommunications."22